Digital security professionals usually associate "security awareness" with initiatives to educate employees. The idea is that if the security staff can teach employees to be wary online, they will be less likely to fall prey to various forms of cyber-attack. I agree with this philosophy, and I find it difficult to believe that anyone would argue against training employees. However, security staff should do some level of cost-benefit analysis to ensure that the resources expended on training do not exceed the benefits!

Still, there is a point of diminishing returns to security awareness. The most effective programs I've seen have reduced "click through" rates for self-phishing testing from double-digit rates (as high as 50% in some cases) to mid-to-low single-digit rates (~5%). This sort of reduction can equate to substantial risk and cost reduction. When employees no longer fall for attacks that result in compromised systems, the load on the incident response team is lessened and the adversary has fewer opportunities to steal or degrade data.

Because security awareness programs can't eliminate human vulnerabilities, all organizations will carry some amount of risk that can't be avoided through training. This fact drives the second meaning of the term "security awareness" - the capacity for the security team to understand what is happening in their environment. Thus, while some people turn to self-phishing exercises to show how much risk they've eliminated, I recommend recognizing how much risk still remains.

Therefore, the best security awareness programs demonstrate that despite strong human-centric controls and countermeasures, organizations will eventually be compromised. In these situations, how does the security team become aware of what has managed to defeat their technical and social defenses? At Mandiant we stress tactics like sweeping endpoints for indicators of compromise (IOC), followed by close analysis of systems that demonstrate signs of intruder activity. We also recommend comprehensive network security monitoring programs to collect and analyze indications and warnings so that intrusions can be detected and responded to. By combining host- and network-centric analysis, tuned for the threats likely to affect the enterprise, security teams can maintain the security awareness needed to identify and contain intruders who fool well-intentioned employees.
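The combined host- and network-centric sweep described above, as an added example that is not part of the original post and not Mandiant's tooling: a small Python script matches constructed endpoint artifacts (executable hashes, recent DNS lookups) and constructed network monitoring records against an indicator set, then ranks hosts by how many independent signal types point at them. Every hash, domain, address, hostname and log line is a placeholder constructed for this example; the log format and the `HOST_INVENTORY` record layout are assumptions, not the output of any real agent.

```python
"""Illustrative IOC sweep combining host artifacts with network monitoring records.

All indicators, hostnames, addresses and log lines are constructed for this
example; none are real indicators of compromise.
"""
import re
from collections import defaultdict

# Constructed indicator set (placeholders, not real IoCs).
IOCS = {
    "sha256": {"0000aaaa1111bbbb2222cccc3333dddd4444eeee5555ffff6666000077778888"},
    "domain": {"updates.example-cdn.invalid"},
    "ip": {"203.0.113.45"},  # TEST-NET-3 documentation address
}

# Constructed endpoint sweep output: what a collection script might report
# from each host (hashes of recently written executables, recent DNS lookups).
HOST_INVENTORY = [
    {"host": "ws-0142", "ip": "10.0.8.17",
     "sha256": {"0000aaaa1111bbbb2222cccc3333dddd4444eeee5555ffff6666000077778888",
                "9999aaaa1111bbbb2222cccc3333dddd4444eeee5555ffff6666000077770000"},
     "dns": {"intranet.corp.invalid", "updates.example-cdn.invalid"}},
    {"host": "ws-0201", "ip": "10.0.8.44",
     "sha256": {"1234aaaa1111bbbb2222cccc3333dddd4444eeee5555ffff6666000077771234"},
     "dns": {"intranet.corp.invalid"}},
    {"host": "ws-0377", "ip": "10.0.9.3",
     "sha256": set(),
     "dns": {"mail.corp.invalid"}},
]

# Constructed network security monitoring records, one connection per line.
NSM_LOG = """\
2024-05-01T10:02:11Z 10.0.8.17 -> 203.0.113.45:443 proto=tcp bytes_out=51200
2024-05-01T10:02:14Z 10.0.8.44 -> 198.51.100.7:443 proto=tcp bytes_out=2048
2024-05-01T10:05:40Z 10.0.9.3 -> 203.0.113.45:443 proto=tcp bytes_out=88
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)")


def sweep_hosts(inventory, iocs):
    """Host-centric pass: {host: [(ioc_type, value), ...]} for hosts whose
    artifacts match any indicator."""
    hits = defaultdict(list)
    for rec in inventory:
        for h in rec["sha256"] & iocs["sha256"]:
            hits[rec["host"]].append(("sha256", h))
        for d in rec["dns"] & iocs["domain"]:
            hits[rec["host"]].append(("domain", d))
    return dict(hits)


def sweep_network(log_text, iocs):
    """Network-centric pass: {source_ip: [(ioc_type, value), ...]} for
    connections whose destination is an indicator address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed record: skip it rather than abort the sweep
        if m["dst"] in iocs["ip"]:
            hits[m["src"]].append(("ip", m["dst"]))
    return dict(hits)


def prioritize(inventory, host_hits, net_hits):
    """Merge both views per host and rank for analyst follow-up. Hosts with
    more distinct indicator types (host and network evidence agreeing) sort
    first; ties break on hit count, then hostname."""
    ip_to_host = {rec["ip"]: rec["host"] for rec in inventory}
    evidence = defaultdict(list)
    for host, items in host_hits.items():
        evidence[host].extend(items)
    for ip, items in net_hits.items():
        evidence[ip_to_host.get(ip, ip)].extend(items)
    ranked = sorted(evidence.items(),
                    key=lambda kv: (-len({t for t, _ in kv[1]}), -len(kv[1]), kv[0]))
    return [(host, sorted(items)) for host, items in ranked]


if __name__ == "__main__":
    for host, items in prioritize(HOST_INVENTORY,
                                  sweep_hosts(HOST_INVENTORY, IOCS),
                                  sweep_network(NSM_LOG, IOCS)):
        print(f"{host}: {len(items)} indicator hit(s): {items}")
```

In this constructed data, ws-0142 shows up in all three indicator types and ranks first; ws-0377 only appears because of a single outbound connection, which is exactly the kind of host the post says deserves close analysis rather than an automatic verdict. Malformed monitoring records are skipped instead of stopping the sweep, so one bad line cannot hide the rest.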